When accessing an internet environment, user equipment likely needs a certain type of access service. Providers of such access service include a wire Digital Subscriber Line (DSL), a Cable system, a Wireless Local Area Network (WLAN) access and a Wireless Metropolitan Area Network (WiMAX) access, etc. Typically, a terminal of an access system is called a general access point. For example, the general access point may be a WLAN Access Point (AP), a WiMAX Base Station (BS), or an access device of a DSL system end office and the like.
When user equipment accesses the internet via the general access point, security problems may exist in the link between the user equipment and the general access point. For example, an intruder may obtain the key of a user using security vulnerabilities existing in the user end modem of the DSL system, or the intruder may pretend to be a general access point via wireless links to induce the user to enter some networks containing illegal contents which leads to the waste of time and energy of the user.
With respect to all kinds of attacks, access networks employ various security mechanisms. For example, the WLAN and the WiMAX both support the security mechanism based on public key infrastructure. Being compared with a security mechanism based on symmetric key, the security mechanism based on public key infrastructure can provide a non-repudiation function, thus avoiding some conflicts between the user and the access network service provider. For example, regarding a charged access service provided by the access network service provider to the user, if the security mechanism is only based on symmetric key, i.e. the key held by the user and that held by the access network service provider are identical, it is hard to determine whether the charged access service is open upon user authorization or is open by the service provider. However, if the security mechanism is based on public key infrastructure, the above problem can be solved using signature techniques.
The public key infrastructure refers to secure infrastructure having generalities which implements and provides security services using the concept and techniques of public key, and can provide security services such as verification, integrity, security and the like, and supports secure communication, secure timestamp, notarization, non-repudiation, and privilege management, etc. Public key certificate and certificate authority are two important concepts in the public key infrastructure. Specifically, the public key certificate refers to a group of data which is attached with a signature and contains a particular entity name and the public key of the entity. The public key certificate is typically issued by the certificate authority, and the signature in the public key certificate is provided by the certificate authority. By way of providing a signature, the certificate authority verifies the binding relationship between the holder of the public key certificate and the public key of the holder. The signature provided by the certificate authority is generated by the certificate authority using signature algorithms.
The public key certificate authenticated by the certificate authority often has a life time, and the certificate is invalid upon termination of the life time. If a private key corresponding to the public key certificate is leaked, the public key certificate should also be invalid. In addition, there are other conditions that may lead to the public key certificate to be invalid. For example, original information is invalid after a certain entity changes its job. In network communications, it is very important to obtain the status of the public key certificate, i.e. whether the public key certificate is still valid. Participant entities in the network communications always refuse to establish a secure communication with a participant entity holding invalid public key certificate.
Conventionally, the public key certificate status is often obtained using two types of approaches as follows:
First approach: the public key certificate status is obtained by downloading a Certificate Revocation List (CRL), including total certificate list downloading and incremental certificate list downloading. When it is required to verify the status of a certain public key certificate, a certain entity downloads a latest Certificate Revocation List, to thus check whether the public key certificate to be verified is in the latest Certificate Revocation List. The approach of incremental certificate list reduces the amount of the certificate to be downloaded each time, and the corresponding method for verifying a public key certificate is similar to that of total revocation list downloading. There are other approaches of such a comparing-after-downloading type, such as Certificate Revocation List distribution points, indirect Certificate Revocation List and the like.
Second approach: the public key certificate status is obtained by an online query mechanism, such as the Online Certificate Status Protocol (OCSP). The OCSP mainly relates to two entities, i.e. the client and the server, and is a typical client/server structure. The client sends a request to the server, and the server returns a response. A series of certificates required to be verified are contained in the request, and the verification interval and the status of the series of certificates are contained in the response. In addition to the OCSP, there is still another online query mechanism which is called the Simple Certification Validation Protocol (SCVP). The SCVP is a protocol having much more functions than the OCSP, including a certificate path discovery function and a certificate path construction function, as well as the functions of the OCSP. Generally speaking, the SCVP is still in a two-tuple structure of client/server.
To obtain the public key certificate status by the access network using the above approaches generally results in problems as follows:
First, the storage resources of the user equipment may has a limitation, or the user does not wish to store the Certificate Revocation List at all, thus leading to a difficulty in the implementation of periodically downloading Certificate Revocation List to the user equipment. Although there is often no resource limitation for the access network, a policy limitation may exist in the access network. Meanwhile, the approach of downloading the Certificate Revocation List also goes against a central management of Certificate Revocation Lists, and also brings an overhead to the network bandwidth. Particularly, when the user equipment is unable to store the Certificate Revocation List, the access network needs additional overheads to store and maintain the synchronization of the Certificate Revocation List.
Further, when using the online query mechanism, the user needs to execute separate protocols via a background server, such as the OCSP or the SCVP and the like, and the access network also needs to execute separate protocols such as the OCSP or the SCVP in corporation with the background network. These protocols often operate over the HTTP protocol, which is an application layer protocol. However, the certificate status verification often occurs at a time at which neither secure link nor connection between the user and the access network is established, so that direct use of these protocols is very complicated. Even applicable for use, it is also required to use the user equipment/server and the general access point/server architecture to accomplish implementation.
Thus, conventionally, a method for obtaining a public key certificate status applicable for the network architecture of user equipment, a general access point and a server is likely unavailable.